Question
The Consumer Data Right (CDR) rules - Part 5, Division 5.2 (Rule 5.10) states that:
5.10 Other conditions on accreditation
(1) The Data Recipient Accreditor may, in writing:
(a) impose any other condition on an accreditation:
(i) at the time of accreditation under subsection 56CA(1) of the Act; or
(ii) at any time after accreditation; and
(b) vary or remove any conditions imposed under this rule.
and that ...
(5) The Accreditor:
(a) may, but need not, give public notice of a condition or variation imposed or removed under this rule; and
(b) may do so in any way that the Accreditor thinks fit.
Example: The Accreditor could give public notice of a description of the effect of the conditions, rather than of the conditions themselves.
Given that these conditions could be varied and nebulous, there is the potential of impact on data holders (DHs) when engaging or providing CDR data to an accredited data recipient (ADR).
As an example, what if the condition is:
- the ADR is only allowed access to a subset of CDR data; or
- only able to receive a particular period of CDR data; or
- only able to hold authorisation for a particular period?
Are DHs required to identify and comply with these conditions?
If there is a breach of a condition due to CDR data passed from a DH to an ADR, where does liability sit?
Will these conditions placed on the ADR be within the metadata update endpoint, i.e. will the DH be informed of these newly imposed conditions via metadata update?
Regardless of whether it’s in the metadata endpoint or not, who will be liable to ensure the correct information has been shared between the ADR and the DH?
a. Will it be on the ADR – that they are only requesting the information they have been accredited for?
b. If a DH has packaged information, and there is a data set in that package, is it up to the ADR to only consume the information they are conditioned to, or is it up to the DH to remove the set of information the ADR is not allowed to access?
Answer
In its role as the Data Recipient Accreditor, the ACCC is able to impose any condition on an accredited data recipient. Conditions on an accreditation may also not be public. In our Accreditation Guidelines, the ACCC has stated that:
The Accreditor may impose any conditions on accreditation at the time of accreditation or at any time after accreditation. It may also vary or remove any condition at any time after a condition is imposed. Conditions could relate to testing requirements, or specify that the accreditation is limited to the operation of particular websites or software products or alternatively mandate that certain websites or software products cannot be used. A condition, for example, may be to suspend the use or operation of an application. Any use of that application by the accredited person, including any attempt to seek to collect CDR data via that application would be a breach of its condition of accreditation.
Currently, any additional conditions that are imposed on accredited data recipients by the Data Recipient Accreditor are not discoverable via an endpoint. There is no technical implementation in either the standards or register design that prescribes how additional conditions imposed by the Data Recipient Accreditor are to be handled by data holders or accredited data recipients.
Under rule 5.13, an accredited person must comply with the conditions of their accreditation. On that basis, the onus is on the accredited data recipient to give effect to any condition(s) imposed on their accreditation. The requirement under rule 5.13 for an accredited person to comply with the conditions of their accreditation is a civil penalty provision.